Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #54

July 10, 2007

The first story this week provides a direct and authoritative link between cyber crime and terrorism. WashingtonPost.com's Brian Krebs did an extraordinary job of getting the full story out of the law enforcement people. Although this isn't the first such proof, it reinforces the point that terrorists are exploiting lapses in cybersecurity to raise money to buy their bombs.

INVITATION FOR PROGRAMMERS TO THE EXAM THAT DEMONSTRATES SECURE PROGRA

Free Whitepaper: The Missing Link in Your Security Solution. Time is the enemy in a cyber attack. Only a rapid, automated response can make the difference between a minor incident and significant damage. Learn how to protect, detect and respond to cyber threats with this free whitepaper. Brought to you by ArcSight, the leader in compliance and security management.
http://www.sans.org/info/10641

TRAINING UPDATE
SANS Network Security in Las Vegas, Sept. 22-30, now open for registration at http://www.sans.org/ns2007
Complete schedule: http://www.sans.org/index.php

TOP OF THE NEWS

The three men who recently entered guilty pleas to charges of using the Internet to incite murder apparently used fraudulently obtained credit card information to fund their activity. This is the first major case to draw a definitive link between terrorism and cyber crime. The group used phishing attacks and Trojan horse programs to steal the card information and used the data to pay for web hosting services, GPS devices, night vision goggles, pre-paid cell phones and airplane tickets. The three men charged more than US $3.5 million on the stolen cards.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501945_pf.html
[Editor's Note (Multiple): The authors of GAO's flawed report on the lack of importance of data breaches might do well to read this article. (Kreitner): I hope people who think credit card fraud is just a matter of personal inconvenience and the credit card industry players who complain about the PCI Data Security Standard will let this information sink in. (Shpantzer): It's only natural for terrorist networks to adapt to the latest criminal methods to support their activities. This is financial support for terrorists through crime, which is really nothing new at all. The only twist is that phishing and trojan horses are involved on the internet, instead of other types of organized crime like counterfeiting and drug dealing. ]

Court Rules Belgian ISP Must Block P2P Filesharing (July 4 & 6, 2007)

In what is being hailed as a landmark European legal ruling, a Belgian court has ordered the ISP Scarlet to block all peer-to-peer (P2P) traffic on its network. The case was brought by Sabam, which represents authors and composers in Belgium. The court ruled that Scarlet had a variety of available technologies from which to choose to block the offending traffic. The court maintains the ruling does not require Scarlet to monitor its network. Scarlet has six months in which to supply Sabam in writing with plans for deploying blocking measures. Failure to comply will result in a fine of 2,500 Euros (US $3,405) a day.
-http://www.vnunet.com/vnunet/news/2193670/isp-block-illegal-p2p-traffic
-http://www.sabam.be/website/data/Communiques_de_presse/SABAM_vs_TISCALI_engl.pdf
[Editor's Note (Ullrich): Many organizations have tried to block P2P and failed. P2P traffic is hard to define and usually requires sophisticated (and expensive) content based packet filtering devices to detect and stop. Scarlet as an ISP will have a hard time implementing such a filter effectively. It may be a sign of copyright laws gone overboard. Like regular copy machines, P2P networks can be used to share illegal as well as legal content. (Guest Editor's Note - Frantzen): This case is a continuation of an earlier case covered here: -http://www.edri.org/edrigram/number2.23/p2p ]

Symantec has found evidence that credit card fraudsters are making small donations to charities, presumably to test the cards' validity. If the transaction clears, the credit card thieves know the card information they have is functional. Small charitable donations are unlikely to raise fraud flags among credit card security monitors.
-http://www.forbes.com/technology/2007/07/09/hackers-charity-creditcards-tech-cx_ag_0709hack.html
-http://www.networkworld.com/news/2007/070607-credit-card-thieves.html
[Editor's Note (Ullrich): This is potentially very expensive for charities. Charities will have to deal with refunds after fraud is detected and face potentially higher discount rates. A reasonable defense may be to return to the user a "donation accepted" message even if the credit card is marked as stolen/fraudulent. That way, charity sites will lose their value for this activity. ]

During a radio interview, Google global privacy chief Peter Fleischer said the company's retained search query data falls under the purview of security, not privacy. Therefore, according to Fleischer, the European Union's (EU) Article 29 Working Party holds no sway over Google's data retention policy. Google justifies its data retention policy by maintaining that the EU's Data Retention Directive requires it, but the Article 29 Working Party says the directive does not apply. Even the security arm of the EU government structure says the directive does not apply because search queries contain content, not traffic and location data. Fleischer said that even if the directive were not in effect, Google would maintain its data retention policy.
-http://www.theregister.co.uk/2007/07/06/google_data_retention_/print.html
-http://www.vnunet.com/vnunet/news/2193694/google-bashes-protection-bodies

Sponsored Links:
1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack!" - White Paper
http://www.sans.org/info/10646

POLICY & LEGISLATION

FCC Rule Puts Brakes on Software-Defined Radio (July 6, 2007)

A Federal Communications Commission (FCC) rule may slow down the availability of software-defined radio devices. At issue is the security of the "open-source elements" on which the devices are based. The FCC has received at least one petition asking that they retreat from their position. The technology is already in use in military and public safety arenas. -http://news.com.com/2102-1041_3-6195102.html?tag=st.util.print

South Africa Considering Tough Anti-Spam Law (June 24, 2007)

South African legislators are considering a bill that would impose harsh penalties on those convicted of sending spam. The Protection of Personal Information Bill defines email addresses and cell phone numbers as private information; sending unsolicited commercial messages to either without express written permission would be illegal. Perpetrators could be fined or face prison sentences of up to 10 years. -http://www.24.com/news/?p=tsa&i=565876

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Buffer Overflow Flaws in SAP Products (July 9, 2007)

Users of several SAP software packages are encouraged to upgrade to the newest versions of the products to protect their systems from a handful of vulnerabilities. The security flaws include buffer overflow vulnerabilities in EnjoySAP GUI, SAP's Message Server and SAP DB Web Server, and a flaw in SAP Web Application Server that could be exploited to cause a denial-of-service condition. -http://www.theregister.co.uk/2007/07/09/sap_update/print.html

Group Launches Vulnerability Auction Website (July 5 & 6, 2007)

The founders of vulnerability auction web site WabiSabiLabi maintain it will strengthen security because "researchers" will be paid "a fair price" for their work instead of providing their work gratis or selling the flaws to cyber criminals. For the first six months, the site will be free to use. After the initial period, buyers and sellers will be assessed a 10 percent fee. Buyers and sellers both must preregister, presumably to be vetted, and to ensure the site's purpose is not misused. WabiSabiLabi will test the vulnerabilities in their laboratory before putting them on the auction site; they will be accompanied by a proof-of-concept exploit.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39287912-39001093c,00.htm
-http://www.heise-security.co.uk/news/92258
-http://news.bbc.co.uk/2/hi/technology/6276474.stm
-http://www.vnunet.com/vnunet/news/2193550/security-exchange-trades-zero
-http://www.theregister.co.uk/2007/07/06/security_flaw_marketplace/
[Editor's Note (Ullrich): A couple of legitimate companies (iDefense and 3COM) will already pay researchers a reasonable amount of money. However, these companies will also forward the information to the author of the software, which will help fix the actual problem. This new auction site has no such provision. While I fully agree that we need to find a better way to compensate and protect researchers, this auction site doesn't look like the right way as it does not release vulnerability information to vendors. (Ranum): This is purely and simply about cashing in on security flaws - it shows the real agenda of the vulnerability researchers: money. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Tapes Hold Girl Scout Data (July 9, 2007)

Girl scouts and their families in the metro Denver, Colorado area are being alerted that their personally identifiable information was on tapes stolen from a car on June 27. The information was from the Girl Scouts Mile Hi Council membership database, and includes names, addresses, phone numbers, members' schools and a small number of credit card and Social Security numbers (SSNs) from camp and event registrations. The data theft affects those whose information was in the database between 2003 and 2007. -http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_5621147,00.html

STATISTICS, STUDIES & SURVEYS

"The European Commission is expected to pass the European directive on Data Protection this year, which would require companies to inform all customers and regulators of any data security breaches. However, it could take years for ... European countries to adopt this directive into law." More than three-quarters of IT security professionals surveyed at the Infosec 2007 conference believe organizations should be required by law to notify customers and regulators about data security breaches. Of those in favor of a law, 49 percent believe notification should occur immediately. A separate survey found that 82 percent of consumers expected to be notified immediately in the event of a breach; 53 percent said they would stop conducting business with the entity that suffered the breach.
-http://www.computerworlduk.com/management/government-law/legislation/news/index.cfm?newsid=3924
[Editor's Note (Kreitner): It is hard to be optimistic about the ability of legislative bodies to keep up with the consequences of society's increasing dependence on information technology. ]

INVITATION TO THE EXAM THAT DEMONSTRATES SECURE PROGRAMMING SKILLS

This is the promised invitation for your contractors to participate in the secure programming assessment on August 14 in Washington, DC.

Who may send programmers to the assessment? Each government contractor that is building or maintaining web applications written in Java or other applications written in C may send up to three programmers to the exam.

What does the assessment measure? It measures the degree of mastery of the basics of secure programming. One test measures Java secure programming, and one measures C secure programming. The attachments to this note provide the blueprints showing exactly which areas are assessed.

Will the results be confidential? Yes. Only the test taker will receive the results.

What value will programmers who take the test gain? They will learn the areas in which their secure coding skills are strong and the areas in which they need more review. If they score high enough (about 62%) they will be among the first programmers to earn a GSSP (GIAC Secure Software Programmer) certification. Contractors who do especially well may also want to share their results with their government clients to demonstrate to their clients that they have programmers who really know how to write secure code.

Should programmers cram for the assessment? That would not be useful because the exam measures programming rules that most programmers who write code should already know. Moreover, the assessment will tell you in which areas you need additional knowledge so it will be cost-effective to use the assessment to determine which areas need study and then focus on those. SANS is creating online mini-courses for each area of the exams so that programmers can quickly master the topics in which the assessment showed they need more knowledge.

Where and when is the exam and how long is it? Both the Java and C exams are being held at the Marriott Wardman Park in Washington DC (near the Washington Zoo Metro Stop) on August 14 at 9 AM. Each exam has 100 questions and will take approximately 3 hours.

What types of questions are on the exam? They are multiple choice questions. Some include code samples; others ask about techniques and concepts.

Here are sample questions for Java:

1. The Java synchronized keyword is important to security because of which of the following:

A. It allows two different functions to execute simultaneously.
B. It prevents multiple developers from writing the same block of code.
C. It allows the class to be loaded as soon as the JRE starts.
D. It prevents multiple threads from accessing a block of code at the same time. (CORRECT)

Explanation: The synchronized keyword ensures that only one thread of execution is accessing a given block of code at a given time. The subtleties of concurrent programming are often overlooked by developers.

2. Consider the following 'Session Fixation' attack scenario: An attacker browses to a website and receives a JSESSIONID without logging in. The attacker then embeds that ID in a link and emails it to a victim. The victim clicks on the link and proceeds to log in, using the JSESSIONID that is known by the attacker. The attacker can now masquerade as the victim.

Which of the following best mitigates this threat?

A. Users should be instructed not to click on links in email.
B. The application should provide a new JSESSIONID to each user when they authenticate. (CORRECT)
C. Users should be required to enter text that is represented in a garbled graphic, proving they are human.
D. The application server should be configured to expire the JSESSIONID very quickly to reduce the window of opportunity.

Explanation: Session IDs can be embedded in a link as described in the scenario, and many applications don't protect them with SSL until a user authenticates. In both cases the session ID may already have been compromised. Therefore, it should not be used to represent an authenticated user; the user should be issued a new one upon authentication. This is not, nor can it be, done by J2EE; it is the application developer's responsibility.
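An added example (not from the newsletter or the GSSP exam) of the mitigation in answer B: a hypothetical servlet that discards the pre-login session and lets the container issue a fresh JSESSIONID, with the vulnerable pattern shown in comments for contrast. It assumes the standard javax.servlet API; authenticate() is a placeholder for a real credential check.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet that defends against session fixation by
 * invalidating the session the browser arrived with and creating a new
 * one (new JSESSIONID) only after credentials have been verified.
 */
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // VULNERABLE pattern (for contrast): binding the login to whatever
        // session the browser already carried keeps the attacker-chosen ID alive.
        //   HttpSession s = req.getSession(true);
        //   s.setAttribute("user", user);

        // Hardened pattern: copy over only pre-login state you explicitly trust,
        // invalidate the old session, then create a new one with a new ID.
        Map<String, Object> keep = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Object locale = old.getAttribute("locale"); // harmless preference
            if (locale != null) keep.put("locale", locale);
            old.invalidate();                           // server forgets the known ID
        }
        HttpSession fresh = req.getSession(true);       // container issues a new JSESSIONID
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", user);               // only the new ID represents the login
        // Servlet 3.1+ containers also offer req.changeSessionId(), which renews
        // the ID in place; invalidate-and-recreate works on older J2EE as well.
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private boolean authenticate(String user, String pass) {
        // Placeholder for a real credential-store lookup with hashed passwords.
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```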

You may also attend the Application Security Summit, where users from T. Rowe Price, Kaiser and Cisco will share what they have learned about developing application security initiatives. See -http://www.sans.org/appsummit07/

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/